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METHOD AND APPARATUS FOR PROVIDING NODE SECURITY IN 
A ROUTER OF A PACKET NETWORK 

FIELD OF THE INVENTION 

5 

This invention relates in general to data communication 
systems, and more specifically to a method and apparatus for providing 
node security in a router of a packet data network. 

10 BACKGROUND OF THE INVENTION 

Packet data communication networks that are accessible to the 
public are subject to intrusion and disruption by predatory elements, 
such as hackers. By targeting a few critical nodes with a destructive 

15 virus or worm, it is possible to take down an entire network. Prior-art 
routers have done little more than reading header information and 
forwarding each data packet to the destination indicated in the 
associated header. This has provided no protection to destination 
devices, including computers and other routers that might be harmed 

20 by the user data carried by the data packet. 

Thus, what is needed is a method and apparatus for providing 
node security in a router of a packet network. Preferably, the method 
and apparatus will be able to detect and eliminate potentially harmful 
data packets soon after they enter the network, and before they can 

25 reach destinations where they can produce widespread harm. 
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BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 is an electrical block diagram of an exemplary packet 
data communication network in accordance with the present invention. 
5 FIG. 2 is an electrical block diagram of an exemplary router in 

accordance with the present invention. 

FIG. 3 is a flow chart depicting operation of the exemplary router 
in accordance with the present invention. 
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DETAILED DESCRIPTION OF THE DRAWINGS 

Referring to FIG. 1 , an electrical block diagram 100 of an 
exemplary packet data communication network in accordance with the 
5 present invention comprises an originator 102 that transmits data 

packets through the network. The originator can employ, for example, 
a workstation, a personal computer, or a portable or wireless 
multimedia device to transmit the data packets. The network can 
comprise an entry router 104 and various combinations of wired or 

10 wireless local area networks (LAN) 106, intermediate routers 108, 110, 
1 12, a wide area network (WAN) 114, and one or more servers 1 16. A 
typical destination of the data packets is, for example, the server 116. 
When the originator has malicious intent and wishes to harm all or part 
of the network, the destination can be either the server 1 1 6 or one or 

1 5 more of the routers 1 04, 1 08, 1 1 0, 1 1 2. 

One aspect of the present invention is to involve the routers of 
the network more effectively than has been done in the prior art, in 
order to detect and intercept harmful data packets, such as viruses, 
worms, and Trojan horses at the earliest possible point after entry into 

20 the network and before much of the network can become infected. 
Another and related aspect provides a "healing" methodology for the 
network or components within the network. For example, when the 
originator 102 is attempting to send harmful data packets into the 
network, the entry router 104 is the preferred choice for blocking the 

25 harmful data packets. In one embodiment, one or more of the 
downstream routers, e.g., the router 112, can be designated an 
"enhanced security" router, in that it can be programmed with more 
sophisticated detection mechanisms for locating harmful data packets 
than the upstream routers, and it would then collaborate with the 

30 upstream routers to coordinate and control the efforts to eradicate the 
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harmful data packets thus facilitating the above mentioned healing 
effect. This would allow some economic trade-offs to be made. 
Various techniques will be described further herein below for providing 
the collaboration among the routers of the network in accordance with 
5 the present invention to successfully detect and intercept harmful data 
packets near and over time even nearer their entry point. 

Referring to FIG. 2, an electrical block diagram of an exemplary 
router 200 in accordance with the present invention comprises a 
plurality of input/output (I/O) ports (1-N) 202 for communicating with 

10 other nodes of a network. More specifically, the I/O ports are for 

accepting a data packet sent from an originator via the router 200 and 
addressed to a destination device other than the router 200, and for 
transmitting the data packet to the destination device. The I/O ports 
202 are coupled to a processor 208 for processing the data packet in 

1 5 accordance with the present invention. 

The processor 208 preferably comprises a memory 210 
containing software and operating parameters for programming the 
processor 208. The memory 210 comprises a routing control program 
and database 212 for controlling the routing of data packets through 

20 well-known techniques. It will be appreciated that, for additional speed, 
the router 200 also can comprise special purpose hardware for routing 
the bulk of the data packets. The memory 210 also includes a node 
security program 214 for programming the processor 208 in 
accordance with the present invention. The node security program 214 

25 programs the processor 208 to monitor selected data packets as they 
enter the router 200, and to determine, on the fly or in near realtime, 
whether the data packets are potentially harmful to the destination 
device (or, alternatively, to the router 200 itself). The monitoring 
preferably begins with scrutinizing the nature of the control headers of 

30 the data packets for corruption. 
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Depending on the traffic the router 200 is handling, as well as a 
history of recently encountered harmful data packets, the monitoring 
can be done in several different manners. These include: random 
sampling of a subset of data packets; monitoring data packets having a 
5 predetermined source address; monitoring data packets having a 
predetermined destination address; or monitoring data packets having 
a predetermined combination of source and destination address. It will 
be appreciated that selection of the data packets to be monitored can 
also take into account the port numbers used by the source or the 

10 destination. Advantageously, random sampling of data packets 

reduces the processing burden on the router, and the sampling rate 
can be adjusted according to traffic and the frequency of attacks. 
Address-specific monitoring advantageously allows focusing on known 
suspicious originators and/or targeted destinations. 

15 The node security program 214 further programs the processor 

208 to interrupt transmission of the data packet in response to 
determining that the data packet is potentially harmful to the destination 
device, including communicating with a second router to cause the 
second router to interrupt transmission of a future data packet; and to 

20 transmit the data packet in response to determining that the data 
packet is not potentially harmful to the destination device. Once the 
decision has been made to interrupt the transmission of the data 
packet, the processor 208 can also be programmed to interrupt or 
discard later sent data packets from the same originator. 

25 There are several techniques that the node security program 

214 uses to detect harmful data packets. One known technique is to 
check for signatures or data patterns that can indicate the potential 
presence of known viruses, worms, Trojan horses, and the like. Also, 
because a definitive determination often is impossible after examining 

30 only a single data packet, when the processor 208 determines that a 
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first data packet is suspicious, e.g., the data packet resembles 
something harmful but additional data packets are required to confirm, 
the processor 208 preferably decides to monitor future data packets 
having at least one of the source address and the destination address 
5 of the first data packet, until a definitive determination can be made. In 
addition, the processor 208 preferably examines the headers of data 
packets, looking for corruption and/or the presence of executable code 
as is known, particularly when such corruption and/or code originates 
from a single source. In addition, user data in the data packets can be 

10 analyzed by known methods to determine whether it contains 

executable code. Diagnostic software also can be executed to check 
whether doubtful or sample-picked hardware or software in the network 
have been tampered with. 

The memory 210 also includes an up/downstream collaboration 

15 program 216 for programming the processor 208 to collaborate with 
other routers to block harmful data packets. The processor can, for 
example, send, using known techniques, a command addressed to the 
originator of harmful data, requesting address information for the 
routers participating in the handling of the command. Examples are 

20 the IP Ping and IP Traceroute commands. From the response, the 
processor 208 can learn the address of at least one upstream router 
that could have been used by the originator as the entry point to the 
network. The processor 208 then preferably collaborates with the at 
least one upstream router to intercept transmissions of the originator. 

25 This can be accomplished through a variety of techniques. For 
example, the processor 208 can send a command to the upstream 
router to intercept future data packets from the originator. Alternatively, 
the processor 208 can forward an agent (e.g., the agent 220) to the 
upstream router, where the agent is arranged to intercept a future data 

30 packet from the originator, through known techniques. Another option 
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is for the processor to cause the upstream router to update its 
capabilities (e.g., virus database) to detect a potentially harmful data 
packet. It should also be appreciated that the upstream router need 
not be a neighbor of the requesting router in order to have the 
5 upstream router block transmissions from the originator. That is, the 
upstream router can be remotely connected to the requesting router 
through other routers, LANs, and WANs. 

In addition, the memory 210 includes a learning program 218 for 
programming the processor 208 to learn about, through known 

10 techniques, e.g., from adulterated headers and suspicious user data, 
new harmful signatures to screen for. The new harmful signatures 
preferably are then communicated to upstream collaborating routers in 
the network. This advantageously can result in a dynamic, iterative, 
detect/warn/contain process for intercepting harmful data packets that 

1 5 provides a network healing effect. It is thus to be understood that the 
method and apparatus in accordance with the present invention 
advantageously provides a simple and effective way to intercept 
harmful data packets at or very near their entry point into the network. 
Referring to FIG. 3, a flow chart 300 depicts operation of the 

20 exemplary router 200 in accordance with the present invention. Flow 
begins with the router 200 monitoring 302 a selected data packet as 
described above. The router 200 then determines 304 whether the 
data packet is harmful, using at least one of the techniques outlined 
above. If so, the router 200 interrupts 306 the transmission of the data 

25 packet, and communicates 307 with at least a second router to cause 
the second router to interrupt a future data packet, as disclosed herein 
above. If, on the other hand, at step 304 the router 200 determines 
that the data packet is not harmful, the router 200 then transmits 308 
the data packet towards the intended destination. 
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It should be clear from the preceding disclosure that the present 
invention makes available a method and apparatus for providing node 
security in a router of a packet network. Advantageously, the method 
and apparatus is able to detect and eliminate potentially harmful data 
5 packets soon after they enter the network, and before they can reach 
destinations where they can produce widespread harm. This provides 
the healing effect for the network in the event harmful data is allowed to 
enter. 

Many modifications and variations of the present invention are 
10 possible in light of the above teachings. Thus, it is to be understood 
that, within the scope of the appended claims, the invention can be 
practiced other than as described herein above. 



8 



